The Web Security Mailing List

"We took area51.phpBB.com down along with phpBB.com to ensure integrity and prevent further damage. While we actively work to bring phpBB.com back online, we would also like to inform you of the damage that has been done.

The attacker gained entry through the PHPList application and was able to dump a complete backup of the emails on file. He then used the same exploit to access the phpBB.com database. Both the email list from PHPList and a copy of the phpBB.com users table were then posted publicly.

phpBB3 uses a complex hashing algorithm in order to prevent someone from determining the plaintext value of a password. phpBB2, however, used a much simpler and less secure md5 algorithm to store passwords. This is one of the many reasons why we have decided to no longer support the phpBB2 software. Because hashes cannot be reversed, phpBB3 is set to convert phpBB2 hashes to the new phpBB3 standard during the first user login. Those users who registered while phpBB.com used phpBB2 and did not log in on the new phpBB3 board continue to have their password hashes stored in the old format. Passwords stored in the old format are much less secure than those stored in the new format. The attackers have been focusing purely on the passwords stored in the old format."

Further below, the announcement provides an interesting snippet.

"We apologise for not securing our servers in time to prevent this from happening. This demonstrates how critically important it is to always make sure that you keep up to date with any software that is running on your machine. Intrusion is possible even before a patch is provided to fix a vulnerability. At this time, the team is working around the clock to restore phpBB.com and other resources."

So if you use phpBB on your site, they're sorry they got hacked, honest.
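The quoted statement describes the migration pattern that left the old accounts exposed: a board keeps legacy unsalted MD5 hashes in place and only rehashes each user with the stronger scheme when that user next logs in, so accounts that never log in again stay in the weak format indefinitely. The following is an added example, written here in Python rather than taken from phpBB's own code, of that lazy upgrade-on-login logic together with the inventory check a defender would run to find the accounts still sitting on legacy hashes. The user table, the hash-format tag, the PBKDF2 scheme and the round count are all constructed assumptions, not phpBB's actual storage format.

```python
"""Lazy upgrade of legacy unsalted MD5 password hashes at login time.

Added example, not phpBB's own code. Models the migration step described in
the quoted statement: verify a user against an old unsalted MD5 hash and, on
success, replace it with a salted, iterated hash. The "user table", the
'pbkdf2$...' storage tag and the round count are constructed assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

PBKDF2_ROUNDS = 100_000  # assumption: illustrative work factor, tune per hardware


def legacy_md5(password: str) -> str:
    """phpBB2-style storage: hex(md5(password)), no salt, no stretching."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def modern_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as 'pbkdf2$rounds$salthex$dkhex'."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def is_legacy(stored: str) -> bool:
    """A bare 32-character hex string is the old unsalted MD5 format."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored)


def verify(stored: str, password: str) -> bool:
    """Constant-time comparison against whichever format the stored value uses."""
    if is_legacy(stored):
        return hmac.compare_digest(stored, legacy_md5(password))
    scheme, rounds, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Check credentials; on a successful login against a legacy hash, rehash in place.

    The plaintext is only available at login, which is why the upgrade cannot
    happen offline and why accounts that never log in stay in the weak format.
    """
    stored = users.get(username)
    if stored is None or not verify(stored, password):
        return False
    if is_legacy(stored):
        users[username] = modern_hash(password)
    return True


def legacy_accounts(users: Dict[str, str]) -> List[str]:
    """Accounts still on the old format: the population a leaked table exposes first."""
    return sorted(u for u, h in users.items() if is_legacy(h))


# Constructed sample user table: two legacy-era accounts, one already migrated.
SAMPLE_USERS = {
    "alice": legacy_md5("correct horse"),
    "bob": legacy_md5("hunter2"),
    "carol": modern_hash("s3cure-pass"),
}

if __name__ == "__main__":
    users = dict(SAMPLE_USERS)
    print("legacy before:", legacy_accounts(users))
    print("alice login:", login(users, "alice", "correct horse"))
    print("legacy after:", legacy_accounts(users))
```

The `legacy_accounts` inventory is the part worth running on a real table: it tells you how many users a lazy migration has not reached, and those are the accounts to force a password reset on rather than waiting for a login that may never come.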